Author: Dan Briggs | Published: 3 July 2026 | Reading time: 15 minutes
Executive summary
There is a feature buried in every Microsoft 365 tenant called Direct Send. Most Australian businesses have never heard of it, yet it is one of the easiest ways for a criminal to send an email that looks like it came from one of your own staff. No password. No hacked mailbox. No malware. They simply post a message to your tenant using your own domain name, and Microsoft has historically waved it through.
Attackers have worked this out. Security researchers at Varonis documented a phishing campaign that abused Direct Send against more than 70 organisations from May 2025 onwards, and Cisco Talos has since reported a steady rise in the same technique being used for business email compromise. Microsoft’s own advice is blunt: most customers do not need Direct Send at all.
The reason this belongs on your desk right now is timing. From early 2026, Microsoft began switching Direct Send off by default for newly created Microsoft 365 tenants. Existing tenants, which is almost every established Australian business, still default to on. That means the protection exists, Microsoft recommends it, and the responsibility to turn it on sits with you.
This paper explains what Direct Send is without the jargon, why it is a live fraud risk rather than a theoretical one, and the practical steps to shut it down. It also covers the part most articles skip: how to turn it off without breaking the printers, scanners and line-of-business apps that may quietly depend on it. The single most valuable outcome here is stopping an attacker from impersonating your finance team for the cost of a five-minute configuration change.
What has changed: Microsoft now blocks Direct Send by default for new tenants
In April 2025, Microsoft added a tenant-level setting to Exchange Online called Reject Direct Send. When it is switched on, Exchange refuses any unauthenticated message that arrives claiming to be from one of your own domains unless that message can be tied to an inbound connector you deliberately set up. Blocked messages bounce with a specific error: 550 5.7.68 TenantInboundAttribution; Direct Send not allowed for this organization from unauthorized sources. The change takes effect across the service within about 30 minutes.
Then came the more telling move. Microsoft confirmed on its Exchange team blog that from early 2026 it would start creating new Microsoft 365 tenants with Reject Direct Send already turned on. When a vendor changes a default, it is telling you which way it thinks the setting should point. New customers now get the safer configuration automatically.
Established businesses do not. If your tenant was created before 2026, and the overwhelming majority of Australian businesses reading this were, the old default still applies and Direct Send remains open unless someone has explicitly closed it. Microsoft has given you the switch and recommended you use it, but it will not flip it for you on an existing tenant, because doing so could break mail flow you rely on. That trade-off, safety versus disruption, is exactly what the rest of this paper is about.
We covered a related Microsoft deadline in our briefing on how Microsoft is switching off Basic Authentication for email in December. The two changes are connected, and later in this paper we explain why they need to be planned together rather than one at a time.
What Direct Send actually is, in plain English
Every Microsoft 365 tenant is given a unique mail endpoint that follows the pattern yourdomain-com.mail.protection.outlook.com. It is the address the public internet uses to deliver email to your mailboxes. Direct Send is a method that lets a device or application on your network send email to your own staff through that endpoint, using your own domain in the From line, without signing in.
It exists for a practical reason. A multifunction printer that scans a document and emails it to a staff member does not have a mailbox of its own. Neither does a booking system that sends a reservation confirmation, or a practice-management tool that emails a client statement. Direct Send was the low-effort way to let those devices push mail to internal recipients without anyone managing a username and password for the printer.
The catch is in how Exchange treats the message. Because Direct Send deliberately mimics anonymous mail arriving from the internet, it does not require authentication. The only thing that marks it as yours is the domain name in the sender address, and a domain name is public information. Anyone who knows your domain, which is printed on your website, your email signatures and your invoices, can connect to that same endpoint from anywhere in the world and post a message that says it is from accounts@yourdomain.com.au. Exchange has no password to check, so historically it accepted the message and delivered it to the mailbox.
That is the whole trick. There is no clever exploit and no software flaw. The feature is working exactly as designed. The problem is that a design intended for a printer in the corner of your office also works perfectly for a fraudster on the other side of the planet.
Why it matters: your own domain, turned into a fraud tool
An email that appears to come from a colleague clears the highest hurdle in any scam, which is trust. Staff are trained to be sceptical of outside senders. They are far less guarded when the message looks like it came from the payroll officer, the practice manager or the director. Direct Send hands an attacker that internal appearance for free.
The money follows a well-worn path. This is the engine behind business email compromise, where a message that looks internal asks for a bank account to be changed, an urgent invoice to be paid, or payroll details to be updated. The figures in Australia are not small. The Australian Signals Directorate’s Annual Cyber Threat Report 2024–25 put the average self-reported loss from business email compromise for small and medium businesses at more than $97,000 per incident, and found that email compromise remained the most reported cybercrime affecting Australian businesses, making up around 15 per cent of all business-related reports. The same report recorded the average cost of a cybercrime incident for businesses rising by half, to roughly $80,850.
Direct Send is particularly dangerous because it sidesteps a control many businesses assume protects them: multi-factor authentication. MFA stops a criminal logging in to a mailbox. It does nothing about a message that never touches a login, because Direct Send does not use one. A business can have MFA switched on everywhere and still have its own domain used against it. We wrote separately about the wider pattern of invoice and payment redirection scams that spike around the end of the financial year, and Direct Send is one of the quieter delivery methods behind them.
There is a second cost that arrives later. When your domain is used to send fraudulent mail, and you have not published the records that tell the world which servers may send on your behalf, your legitimate email starts landing in junk folders and your sender reputation slips. The clean-up is slow and the reputational damage with customers who received a scam apparently from you is worse. If you want a sense of the full bill, our guide to the true cost of a cyber incident for a business your size breaks down the parts that never show up on the initial invoice.
How to tell if your domain is already being abused
Most businesses find out the hard way, when a customer forwards a scam that appears to come from them, or a staff member queries an invoice nobody sent. You do not have to wait for that. A few signals are worth checking now. If staff report internal-looking emails that landed in junk, or messages from a colleague they never sent, treat it as a red flag rather than a glitch. A rise in bounce-backs for mail you did not send points the same way. The clearest evidence sits in your DMARC reports, the automated summaries that receiving mail systems send back showing who is sending under your domain. If you have never turned those on, that absence is itself the finding. We often switch DMARC reporting on for a new client and see, within days, exactly which overseas servers have been posing as their business. None of these checks require you to touch a setting or risk breaking mail flow, and together they tell you whether this is an abstract risk or one that is already costing you trust.
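As an added illustration of what those DMARC reports show (this is not code from the original paper), the PowerShell function below summarises a DMARC aggregate report, the XML file that receiving mail systems send to the address in your DMARC record, so you can see which source addresses are sending as your domain and whether they passed the checks. The XML embedded here is a constructed sample in the standard aggregate-report shape, not a real report, and example.com.au and the IP addresses are placeholders.

```powershell
# Added example (not from the original paper): summarise a DMARC aggregate
# (rua) report so each source IP sending as your domain is listed with its
# message count and SPF/DKIM outcome. The XML below is a constructed sample in
# the RFC 7489 aggregate-report shape; example.com.au and the IPs are placeholders.

function Get-DmarcReportSummary {
    param([Parameter(Mandatory)][xml]$Report)

    $domain = $Report.feedback.policy_published.domain
    foreach ($rec in $Report.feedback.record) {
        $row  = $rec.row
        $eval = $row.policy_evaluated
        [pscustomobject]@{
            Domain      = $domain
            SourceIp    = $row.source_ip
            Messages    = [int]$row.SelectSingleNode('count').InnerText
            Disposition = $eval.disposition
            Dkim        = $eval.dkim
            Spf         = $eval.spf
            HeaderFrom  = $rec.identifiers.header_from
            # A source failing both checks is either an unlisted device of yours
            # or someone else posing as your business; both need a follow-up.
            Suspicious  = ($eval.dkim -eq 'fail' -and $eval.spf -eq 'fail')
        }
    }
}

# Constructed sample: one legitimate source that passes, one unknown sender that
# fails both checks. The published policy is p=none, so the disposition is "none"
# and the spoofed mail was still delivered; that is the "monitor only" state.
$sample = [xml]@"
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>sample-1</report_id>
    <date_range><begin>1719705600</begin><end>1719792000</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com.au</domain>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com.au</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>315</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com.au</header_from></identifiers>
  </record>
</feedback>
"@

Get-DmarcReportSummary -Report $sample |
    Sort-Object Messages -Descending |
    Format-Table -AutoSize
```

To use it on a real report, replace the sample with Get-Content of the XML file cast to [xml]. Rows marked Suspicious with a large message count are the overseas servers the paragraph above describes; rows marked Suspicious with a small count are often a forgotten scanner or application that still needs to be added to SPF or moved to an authenticated method.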
Who is most exposed, and what we keep finding in Australian tenants
The businesses at greatest risk are not the ones with the most technology. They are the ones with the most trust flowing through email and the least visibility of what their systems do in the background. Three groups stand out among the clients we work with.
Professional services firms
Accountants, financial planners, law firms and bookkeepers move money and instructions by email all day. A convincing message from a partner or the finance team is worth a great deal to an attacker, and these firms often run practice-management and document systems that send mail on the firm’s behalf. For a financial services firm, this also intersects with your obligations under professional and privacy standards, a theme we explored in our rundown of Microsoft 365 hardening settings every Australian business should change.
Hospitality groups
Venues and hotel groups run booking engines, property-management systems and point-of-sale platforms that fire off confirmations and receipts, frequently using the venue’s own domain through Direct Send. Head office also tends to trust internal-looking finance emails from individual sites. It is a large surface with a lot of moving parts and, usually, no in-house IT team watching it.
Not-for-profits
Lean teams, high staff turnover and a culture of getting things done make not-for-profits an easier target for a well-timed internal-looking request. Grant payments and supplier changes are exactly the transactions attackers aim at.
Here is the part that generic advice leaves out, and it is the single most useful thing we can tell you from managing Australian tenants day to day. In the environments we look after, Direct Send is almost never in use on purpose. When we audit a new client, it is a leftover: a photocopier configured by the vendor five years ago, a scan-to-email workflow nobody remembers setting up, or a legacy app that a former staff member wired in and never documented. The feature is switched on, quietly relaying a trickle of legitimate mail, and wide open to abuse the whole time.
That changes the nature of the job. The risk is not turning Reject Direct Send on. The risk is turning it on blind and discovering three days later that the invoices your bookkeeper scans to the accounts inbox have silently stopped arriving. We recently worked with a Central West NSW firm whose staff had started receiving convincing supplier-update emails apparently from their own accounts team, sent from outside the business through Direct Send. Closing the hole took minutes. Working out which internal systems still depended on the feature, so that nothing broke when we did, took the rest of the engagement. That sequence, find out what uses it, then close it, is the whole game.
What to do now: a seven-step action plan
You do not need to understand mail routing to get this right. You need to make sure the work below happens, in order, and that someone competent owns each step. If All IT manages your tenant, treat this as the checklist we are already working through for you. If someone else does, this is the conversation to have with them this week.
| Step | Action | Who | Priority |
|---|---|---|---|
| 1 | Inventory every device, printer and application that sends email using your domain, including scan-to-email, booking, accounting and alerting systems. | IT provider | This week |
| 2 | Identify which of those rely on Direct Send today, and note the internal addresses they send from and to. | IT provider | This week |
| 3 | Move each legitimate sender to an authenticated method or a locked-down inbound connector before you change anything (see the next section). | IT provider | 1–2 weeks |
| 4 | Enable Reject Direct Send on the tenant with Set-OrganizationConfig -RejectDirectSend $true. | IT provider | After step 3 |
| 5 | Confirm your SPF, DKIM and DMARC records are published and that DMARC is set to reject spoofed mail. | IT provider | 1–2 weeks |
| 6 | Turn on impersonation and spoof protection in Microsoft Defender for Office 365 and review the alerts it raises. | IT provider | 2–4 weeks |
| 7 | Brief finance and reception staff that any request to change bank details must be confirmed by phone on a known number, never by reply. | Owner / manager | This week |
Two of these steps cost nothing and can happen immediately regardless of your IT arrangements: the staff briefing in step 7, and asking your provider to start the inventory in step 1. The verbal-confirmation rule for bank-detail changes is the cheapest fraud control in existence and it stops the majority of these scams even when a spoofed email gets through.
How to switch it off without breaking your printers and apps
This is where careful businesses come unstuck, so it is worth slowing down. Reject Direct Send does not care whether an unauthenticated message from your domain came from a criminal or from your own photocopier. It blocks both. If a device on your network still uses Direct Send when you flip the switch, its mail stops. The goal is to move every legitimate sender onto a method that survives the change first.
There are three durable ways to do that, and the right choice depends on the device.
Authenticated SMTP for modern devices
Newer printers and applications can sign in with a dedicated account before they send, which proves the mail is genuinely yours. This is the cleanest option where the hardware supports it. A note of caution that many articles miss: this needs to be modern, token-based authentication, because the old username-and-password method is itself being retired. That is the direct link to the Basic Authentication change we mentioned earlier, and it is why the two projects belong together.
A locked-down inbound connector
Where a device genuinely cannot authenticate, Exchange lets you create an inbound connector that trusts mail from a specific, fixed IP address, ideally paired with a certificate. Reject Direct Send makes an explicit exception for mail attributable to a connector you have configured, so your scanner keeps working while anonymous mail from everywhere else is refused. This is the safety valve for older equipment.
Retire the sender entirely
Often the honest answer is that the device does not need to email staff directly at all. A scanner can save to a SharePoint or OneDrive folder instead of emailing a PDF. An alerting tool can post to Teams. Removing an unnecessary mail sender is one less thing to secure and one less thing to break.
The reason to plan Direct Send and Basic Authentication together is that they close the two easy paths at the same time. If you rush to move a scanner onto a password-based SMTP relay to beat the Direct Send change, you will only have to redo the work when Basic Authentication is switched off. Do it once, properly, with modern authentication or a connector, and both deadlines are handled. This is exactly the kind of sequencing a managed provider should be doing quietly in the background so you never see the disruption.
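The following Exchange Online PowerShell session is an added example of steps 3 and 4 of the action plan, not code from the original paper or from Microsoft. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange Online administrator role. The only cmdlet the paper itself names is Set-OrganizationConfig; Get-OrganizationConfig and Get-InboundConnector are standard Exchange Online cmdlets used here to check the current state and to review the connectors that keep legitimate devices working once the block is on.

```powershell
# Added example (not from the original paper): check the tenant's Reject Direct
# Send state, review the inbound connectors that legitimate devices will rely on,
# then enable the block and confirm it was written.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Where does the tenant stand today? Tenants created before 2026 usually report False.
$before = Get-OrganizationConfig | Select-Object -ExpandProperty RejectDirectSend
Write-Host "RejectDirectSend currently: $before"

# 2. Step 3 of the plan: every device that cannot authenticate should already be
#    attributable to an inbound connector before the switch is flipped. A connector
#    with no fixed sender IPs and no certificate name will not attribute a device's mail.
Get-InboundConnector |
    Select-Object Name, Enabled, ConnectorType, SenderIPAddresses,
                  RequireTls, TlsSenderCertificateName |
    Format-Table -AutoSize

$answer = Read-Host "Inventory complete and legitimate senders moved? Type YES to enable Reject Direct Send"
if ($answer -ne 'YES') {
    Write-Warning "No change made. Finish steps 1 to 3 first."
    Disconnect-ExchangeOnline -Confirm:$false
    return
}

# 3. Step 4 of the plan. Unauthenticated mail from your own domains that is not tied
#    to a connector will now bounce with 550 5.7.68; allow about 30 minutes to apply.
Set-OrganizationConfig -RejectDirectSend $true

# 4. Confirm the value was written before closing the session.
$after = Get-OrganizationConfig | Select-Object -ExpandProperty RejectDirectSend
Write-Host "RejectDirectSend now: $after"
Disconnect-ExchangeOnline -Confirm:$false
```

The deliberate pause before Set-OrganizationConfig is the whole point: the command itself takes seconds, and the work that prevents a scanner or booking system from going silent is the connector review and inventory that precede it. If a device does stop sending after the change, the 550 5.7.68 bounce in its logs tells you it was still using Direct Send and belongs in step 3.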
Beyond the toggle: SPF, DKIM, DMARC and Defender
Reject Direct Send closes one specific door, spoofed mail sent to your own staff through your tenant. It does not, on its own, stop an attacker spoofing your domain to email your customers and suppliers from somewhere else entirely. For that you need the three email-authentication records working together, and they are worth understanding at a business level even if your provider configures them.
- SPF is a public list of the servers allowed to send email for your domain. Published correctly, with a strict ending, it tells receiving mail systems to distrust anything sent from elsewhere.
- DKIM adds a tamper-evident signature to your outgoing mail, so a recipient can confirm the message really came from you and was not altered on the way.
- DMARC ties the two together and tells the world what to do with mail that fails the checks. Set to a policy of reject, it instructs receiving systems to bin spoofed messages rather than deliver them.
The common failure we see is a DMARC record that exists but is set only to monitor, which watches spoofing happen and does nothing about it. Moving to an enforced reject policy is the step that actually protects your customers, and it needs to be done carefully so legitimate mail is not caught. On top of these records, Microsoft Defender for Office 365 adds impersonation and spoof-intelligence protection that flags messages designed to look like your key people. Together with Reject Direct Send, these controls form the layered defence that a single setting cannot provide. Our Microsoft 365 hardening guide walks through the wider set of changes that belong alongside them.
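To make the "exists but only monitors" failure concrete, here is an added PowerShell check (not from the original paper) that reads a domain's published SPF and DMARC records and reports whether they are actually enforced. It uses Resolve-DnsName from the Windows DnsClient module. The DKIM part assumes the domain signs with Microsoft 365's default selector1 and selector2 CNAMEs, which is an assumption about the tenant rather than something the paper states; yourdomain.com.au is a placeholder.

```powershell
# Added example (not from the original paper): inspect a domain's SPF, DMARC and
# Microsoft 365 DKIM records and say whether they are set to enforce, not just
# monitor. Requires Resolve-DnsName (DnsClient module on Windows).
# Assumption: DKIM uses Microsoft 365's default selector1/selector2 CNAMEs.

function Test-MailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)

    # SPF is a TXT record at the domain apex beginning with v=spf1
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=spf1*' } |
        Select-Object -First 1

    # A strict SPF record ends in -all; ~all and ?all tell receivers to go soft on failures
    $spfStrict = [bool]($spf -and $spf.Trim() -match '\s-all$')

    # DMARC is a TXT record at _dmarc.<domain>; p= is the policy applied to failing mail
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=DMARC1*' } |
        Select-Object -First 1

    $policy = $null
    if ($dmarc -and $dmarc -match 'p=(none|quarantine|reject)') { $policy = $Matches[1] }

    # Microsoft 365 publishes DKIM keys behind CNAMEs named selector1/selector2
    $dkimSelectors = @('selector1', 'selector2' | Where-Object {
        Resolve-DnsName -Name "$_._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    })

    [pscustomobject]@{
        Domain        = $Domain
        SpfRecord     = $spf
        SpfStrict     = $spfStrict
        DmarcRecord   = $dmarc
        DmarcPolicy   = $policy          # $null means no DMARC record at all
        DmarcEnforced = ($policy -eq 'reject')
        DkimSelectors = $dkimSelectors   # empty means no M365 DKIM CNAMEs found
    }
}

# Usage: replace the placeholder with your own domain.
Test-MailAuthRecords -Domain 'yourdomain.com.au' | Format-List
```

A result of DmarcPolicy = none with DmarcEnforced = False is the monitor-only record described above: receiving systems will report spoofing back to you but still deliver the message. Move to reject only after the DMARC reports confirm every legitimate sender passes, otherwise the same setting that stops impostors will stop your own mail.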
None of this is exotic or expensive. Most of it is already included in the Microsoft 365 Business Premium licence that many Australian firms already pay for. The gap is almost never the tools. It is that nobody has been given the job of switching them on and keeping them right.
Frequently asked questions
What is Microsoft 365 Direct Send and why is it a risk?
Direct Send is a Microsoft 365 feature that lets devices and applications send email to your own staff using your domain without signing in. Because it needs no password and only relies on your public domain name, an attacker anywhere in the world can use it to send messages that look like they came from your own people, which is a common way business email compromise and invoice fraud are delivered.
Does multi-factor authentication protect us from Direct Send abuse?
No. Multi-factor authentication protects logins to mailboxes, but Direct Send never logs in, so MFA does not apply. A business can have MFA enabled everywhere and still have its own domain spoofed through Direct Send, which is why the separate Reject Direct Send setting matters.
Will turning on Reject Direct Send break our printers or booking systems?
It can, if those devices currently rely on Direct Send and you have not moved them first. That is why the correct order is to inventory every device and app that sends mail, shift the legitimate ones to authenticated sending or a locked-down connector, and only then enable Reject Direct Send. Done in that order, nothing legitimate stops working.
Our Microsoft 365 tenant is a few years old. Is Reject Direct Send already on?
Almost certainly not. Microsoft only began switching this protection on by default for newly created tenants from early 2026. Established tenants still default to off, so unless someone has deliberately enabled it, Direct Send is still open on your tenant and the change is yours to make.
What is the single fastest thing we can do to reduce this risk today?
Tell your finance and reception staff that any request to change bank account details must be confirmed by phone on a known number, never by replying to the email. This verbal-confirmation rule costs nothing, takes effect immediately, and stops most business email compromise attempts even when a spoofed message gets through.
Talk to All IT Services
Closing Direct Send is a small job with a large payoff, but only if it is done in the right order so your legitimate mail keeps flowing. If you are not certain whether Direct Send is open on your tenant, or what depends on it, we can check, produce the inventory, and close the gap without interrupting your business. We work with professional services firms, hospitality groups and not-for-profits across Sydney, the Northern Beaches and Brookvale, Central West NSW including Orange, Bathurst and Dubbo, Brisbane and Melbourne.
Call us on 1300 425 548 or get in touch through our contact page for a straight answer on where your tenant stands.
This paper is general information for Australian businesses and is not legal, financial or compliance advice. Configuration steps should be carried out or supervised by a qualified IT professional familiar with your environment.
